2.2.4.4.1 Message Flow for Basic NTLM Authentication

NTLM is an ongoing extension to the original LM authentication protocol. NTLM is conceptually straightforward and performs only client authentication. NTLM has undergone some revision (known as NTLMv2), which incorporates additional information into the computation of the response, but still follows the same general message flow as shown in the following figure:

Figure 6: Basic NTLM authentication

These challenge/response messages are in fact carried by an application protocol. The basic flow of the security tokens or messages is as follows:

  1. The client sends an initial message to the server, advertising certain options or capabilities such as cryptographic algorithm support (1).

  2. The server creates a challenge, c, and returns the challenge and the options or capabilities that it can support to the client (2).

  3. The client computes a function on the challenge, resp = f(c, password), and sends the results to the server, along with the user's textual name and domain (3).

  4. The server looks up the user (by the name passed) and computes the same function, f(c, user's password). If the result matches resp (that is, what the client sent in step 3), the passwords are presumed to match, and the user is authenticated (4).

The message flow above is for illustrative purposes only. For detailed technical information about NTLM, see [MS-NLMP]. For example, the password used in step 3 is, in practice, a hashed binary derivative of the actual textual password rather than the password itself.
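The four-step exchange above, written out as an added example with both sides' messages; this is not code from [MS-AUTHSOD] or [MS-NLMP]. The response function f (HMAC-SHA256 over the challenge), the password-to-key derivation, the capability flag values and the account store are all illustrative stand-ins chosen for this example, not the NTLM or NTLMv2 computations, so that the structure of the flow (advertise, challenge, respond, recompute and compare) is visible on its own:

```python
import hashlib
import hmac
import os
from typing import Tuple


def derive_password_key(password: str) -> bytes:
    """Stand-in for the hashed, derivative binary form of the password the server stores.

    Illustrative only (assumption): this is not the [MS-NLMP] NT hash. It models that the
    text password itself is never used directly by either side."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def f(challenge: bytes, password_key: bytes) -> bytes:
    """Response function resp = f(c, password): a keyed MAC over the challenge.

    HMAC-SHA256 is an illustrative choice for this example, not the NTLM/NTLMv2 computation."""
    return hmac.new(password_key, challenge, hashlib.sha256).digest()


# Constructed capability flags carried in the NEGOTIATE/CHALLENGE messages (assumed values).
FLAG_UNICODE = 0x01
FLAG_SIGN = 0x02
FLAG_SEAL = 0x04


def client_negotiate(client_flags: int) -> dict:
    """Step 1: the client advertises the options it supports."""
    return {"type": "NEGOTIATE", "flags": client_flags}


def server_challenge(server_flags: int, negotiate: dict, rng=os.urandom) -> Tuple[bytes, dict]:
    """Step 2: the server creates challenge c and returns it with the options it can support."""
    c = rng(8)  # fresh and unpredictable for every exchange
    return c, {"type": "CHALLENGE", "challenge": c, "flags": negotiate["flags"] & server_flags}


def client_authenticate(challenge: dict, user: str, domain: str, password: str) -> dict:
    """Step 3: the client computes resp = f(c, password) and sends it with user name and domain."""
    resp = f(challenge["challenge"], derive_password_key(password))
    return {"type": "AUTHENTICATE", "user": user, "domain": domain, "response": resp}


def server_verify(accounts: dict, issued_challenge: bytes, auth: dict) -> bool:
    """Step 4: the server looks up the user, recomputes f(c, stored key) and compares with resp."""
    key = accounts.get((auth["domain"].lower(), auth["user"].lower()))
    if key is None:
        return False  # unknown user: nothing to compare against
    expected = f(issued_challenge, key)
    # Compare against the challenge this server actually issued, in constant time.
    return hmac.compare_digest(expected, auth["response"])


def run_exchange(accounts: dict, user: str, domain: str, password: str, rng=os.urandom) -> bool:
    """Drive one complete exchange (steps 1 to 4) and report whether the server accepts it."""
    neg = client_negotiate(FLAG_UNICODE | FLAG_SIGN)
    c, chal = server_challenge(FLAG_UNICODE | FLAG_SIGN | FLAG_SEAL, neg, rng)
    auth = client_authenticate(chal, user, domain, password)
    return server_verify(accounts, c, auth)


if __name__ == "__main__":
    # Constructed account store: the server keeps only the derived key, never the text password.
    accounts = {("contoso", "alice"): derive_password_key("correct horse battery")}
    print("correct password:", run_exchange(accounts, "alice", "CONTOSO", "correct horse battery"))
    print("wrong password:  ", run_exchange(accounts, "alice", "CONTOSO", "guess"))
```

Two properties of the flow are worth checking against this model: the server never receives or stores the text password (only f's output travels over the wire), and a response is bound to the specific challenge it was computed for, so presenting the same AUTHENTICATE message against a fresh challenge fails verification.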
